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DETAILED ACTION 

1. Claims 1-11, 13, 15-17, 19-21, and 23-26 are pending. 

2. A request for continued examination under 37 CFR 1.114, 
including the fee set forth in 37 CFR 1.17(e), was filed in this 
application after final rejection. Since this application is' 
eligible for continued examination under 37 CFR 1.114, and the 
fee set forth in 37 CFR 1.17(e) has been timely paid, the 
finality of the previous Office action has been withdrawn 
pursuant to 37 CFR 1.114. Applicants submission filed on 
05/01/2007 has been entered. 

Response to Amendment 

3. It is noted that claim 21 has the status identifier of 
"Previously Presented" when there are amendments to this claim 
and the status identifier should read "Currently Amended". 

Claim Rejections - 35 USC §112 

4. The following is a quotation of the first paragraph of 35 
U.S.C. 112: 

The specification shall contain a written description of the invention, and 
of the manner and process of making and using it, in such full, clear, 
concise, and exact terms as to enable any person skilled in the art to 
which it pertains, or with which it is most nearly connected, to make and 
use the same and shall set forth the best mode contemplated by the inventor 
of carrying out his invention. 
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5. Claims 1-11, 13, 15-17, 19-21, and 23-26 rejected under 35 
U.S.C. 112, first paragraph, as failing to comply with the 
written description requirement. The claim (s) contains subject 
matter which was not described in the specification in such a 
way as to reasonably convey to one skilled in the relevant art 
that . the inventor (s), at the time the application was filed, had 
possession of the claimed invention. The independent claims now 
recite that the invalid transitions are direct transitions from 
the first state to the invalid state. However, the 
specification never describes the transitions as being direct. 
The specification actually teaches that the transitions are not 
necessarily direct. Specifically referring to figure 6 where 
the final state (606) can be reached directly through path 614 
but it can also be reached in directly passing first through 
paths 610 or 612 to state 604 and then through path 616 to the 
final state (606). Therefore, the specification does not 
provide adequate support for the newly added limitations of 
claims 1, 19, 20, and 21. 

6. Any claims not specifically addressed are rejected by 
virtue of their . dependencies . 
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Claim Rejections - 35 USC § 103 

7. The following is a quotation of 35 U.S.C. 103(a) which 
forms the basis for all obviousness rejections set forth in this 
Office action: 

(a) A patent may not be obtained though the invention is not identically 
disclosed or described .as set forth in section 102 of this title, if the 
differences between the subject matter sought to be patented and the prior 
art are such that the subject matter as a whole would have been obvious at 
the time the invention was made to a person having ordinary skill in the 
art to which said- subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

8. Claims 1-2, 10, 11, 13, 15-17, 19-21, 25, and '26 are 
rejected under 35 U.S.C. 103(a) as being unpatentable over 

I 'Anson, et al (EPO 0474932)., in view of Park (US 6363458), in 
view .of Shanklin et al (US 6487666) and further in view of 
Mahajan et al (US 6628624). 

As per claims 1, and 19-21, I' Anson discloses identifying- 
at least two valid states associated with the network protocol 
in which a first host system communicating with a second host 
system using the network protocol may be placed; defining at 
least one valid transition between a first state of the at least 
two valid states and a second state of the at least two valid 
states; determining that a connection under the network protocol 
is in the first state; analyzing the stream based at least in 
part on the determination that, the connection under the network 
protocol is in a first state to determine whether the packet is 
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associated with the at least one valid transition (see p. 3 
lines 22-39 and p. 4 lines 27-49). 

I'Anson fails to disclose defining an invalid state with a 
plurality of transitions to the invalid state and expressing the 
at least one valid transition and the invalid transition in the. 
form of a regular expression and using the regular expression to 
analyze the network protocol stream. 

However, Park teaches the use of an invalid state with a 
plurality of transitions to the invalid state (see column 7 line 
15 through column 8 line 41 and Figure 2a) and Shanklin et al 
teaches the use of regular expressions (see column 6 lines 39- 
57). 

At the time of the invention it would have been obvious to 
a person of ordinary skill in the art to use the invalid state 
with a plurality of transitions to the invalid state of Park and 
Shanklin et al's regular expressions defining all transitions to 
analyze the protocol of I'Anson. 

Motivation to do so would have been to invalidate requests 
and to recognize and evaluate identifiers, special symbols, or 
other tokens. 

The modified I'Anson, Park, and Shanklin et al system fails 
to explicitly disclose the transitions to the invalid state 
being direct. 
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However, Mahajan et al teaches direct transitions from a 
first state to a final state (see column 5 line 53 through 
column 6 line 8 ) . 

At the time of the invention it would have been obvious to 
a person of ordinary skill in the art for the transitions of the 
modified I' Anson, Park, and Shanklin et al system to be direct. 

.Motivation to do so would have been to allow the 
information to be forwarded immediately thereby increasing the 
speed of the system. 

As per claim 2, the modified -I' Anson, Park, Shanklin et al,. 
and Mahajan et al system discloses compiling the regular 
expression into computer code (see Shanklin et al column 6 lines 
39-57) . 

As per claims 10-11, the modified I'Anson, Park, Shanklin 
et al, and Mahajan et al system discloses keeping track of which 
of the at least two states the first host system currently is in 
and changing the tracked state of the first host system from the 
first of the at least two states to the second of the at least 
two states in the event the analysis of the network protocol 
stream indicates the at least one valid transition has taken 
place (see I'Anson p. 4 lines 27-49). 

As per claim 13, the modified I'Anson, Park, Shanklin et 
al, and Mahajan et al system discloses the invalid transition 
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indicates that a security-related event has taken or is taking 
place and defining a further state corresponding to the invalid 
operation (see p. 4 lines 18-26 where the security related event 
is the intrusion of Shanklin et al as applied with Park) . 

As per claims 15-17, the modified I'Anson, Park, Shanklin 
et al, and Mahajan et al system discloses keeping track of which 
state, from the set comprising the at least two states and the 
further state, the first host system currently is in; and 
changing the state of the first host system to the further state 
in the event that the analysis of the network protocol stream 
indicates the invalid operation has taken place and in the event 
that the analysis of the network protocol stream indicates the 
invalid operation has taken place, an indication that the 
invalid operation has taken place then discontinuing analysis of 
the network protocol stream once the state of the first host 
system has been changed to the further state (see I'Anson page 
4) . 

As per claims 25 and 26, the modified I'Anson, Park, 
Shanklin et al, and Mahajan et al system discloses the invalid 
transitions correspond to a plurality of disallowed security 
events, and performing error handling (see Shanklin column 2 
lines 16-21 and Park column 8 lines 12-20) . 
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9. Claims 3-4 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over the modified I 'Anson., Park, Shanklin et al, 
and Mahajan et al system as applied to claim 2 above, and 
further in view of Wijendran (AWK-to-C Translator) . 

As per claims 3-4, the modified I'Anson, Park, Shanklin et 
al, and Mahajan et al system fails to disclose the use of 
optimal C programming language code. 

However, Wijendran teaches this optical C code (see page 

1) - 

At the time of the invention it would have been obvious to 
a person of ordinary. skill in the art to use Wijendran' s optical 
C code in the modified I'Anson, Park, Shanklin et al, and 
Mahajari et al system. 

Motivation to do so would have been to maximize runtime 
performance (see page 1) . . 

10. Claim 5 is rejected under 35 U.S.C. 103(a) as being 
unpatentable over the modified I'Anson, Park, Shanklin et al, 
and Mahajan et al system as applied to claim 2 above, and 
further in view of Mangione-Smith (How many vector registers are 
useful?) . 

As per claim 5, .the modified I'Anson, Park, Shanklin et al, 
and Mahajan et al system fails to disclose the use of nearly 
optimal computer code. 
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However, Mangione-Smith teaches nearly optical code (see 
page 1 ) . 

At the time of the invention it- would have been obvious -to 
a person of ordinary skill in the art to use Mangione-Smith' s 
nearly optical code in the modified I' Anson, Park, Shanklin et 
al, and Mahajan et al system. 

Motivation to do so would have been that nearly optimal 
code, requires less vector registers (see page 1). 
11. Claims 6-9 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over the modified I' Anson, Park, Shanklin et al, 
and Mahajan et al system as applied to claim 1 above, and 
further in view of Blam (US 6467041) . 

As per claim 6, the modified I'Anson, Park, Shanklin et al, 
and-Mahajan et al system fails to disclose copying the stream to 
a third party to be analyzed. 

However, Blam teaches a third party analyzer (see column 6 
lines 5-29) . 

At the time of the invention it would have been obvious to 
a person of ordinary skill in the art to use Blam' s third party 
analyzer to analyze the protocol analyzer of the modified 
I'Anson, Park, Shanklin et al, and Mahajan et al system. 
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Motivation to do so would have been to perform the analysis 
regardless of what resources are on the network or client (see 
column 6 lines 5-29) . 

As per claims 7-9, the modified I'Anson, Park, Shanklin et 
al, Mahajan et al and Blam system discloses the network protocol 
stream comprises packets of data, each packet being associated 
with a sequence number indicating its position relative to other 
packets in the protocol stream, and the third system reassembles 
the packets into the order indicated by the respective sequence 
numbers of the packets received where a copy of the network 
protocol stream, is maintained in the third system until analysis 
has been completed and in the event the packets are received by 
the third system in sequence number order, a copy is maintained 
in the third system only of those packets comprising the portion 
of the network protocol currently under analysis (see I'Anson 
pages 4-5 and Blam column 6 lines 5-29) . 

12. Claim 23 is rejected under 35 U.S.C. 103(a) as being 
unpatentable over the modified I'Anson, Park, Shanklin et al, 
and Mahajan et al system as applied to claim 1 above, and 
further in view of Brown et al (US 6604075) . 

As per claim 23, the modified I'Anson, Park, Shanklin et 
al, and Mahajan et al system fails to disclose performing error 
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handling that is specific for one of the plurality of invalid 
transitions . 

However, Brown et al teaches the error handling of a 
specific invalid state (see column 11 lines 9-18). 

At the time of the invention it would have been obvious to 
a person of ordinary skill in the art to include error handling 
of a specific invalid state in the modified I'Anson, Park, 
Shanklin et al, and Mahajan et al system. 

Motivation to do so would have been that the error needs to 
be handled by an application or user with specific knowledge 
associated with the processing. 

13. Claim 24 is rejected under 35 U.S.C. 103(a) as being 
unpatentable over the modified I'Anson, Park, Shanklin et al, 
and Mahajan et al system as applied to claim 1 above, and 
further in view of Oran (US 6275574). 

As per claim 24, the modified I'Anson, Park, Shanklin et 
al, and Mahajan et al system fails to disclose grouping the 
regular expressions according to their similarity. 

However, Oran teaches such grouping (see column 8 lines 8- 

21) . 

At the time of the invention it would have been obvious to 
a person of ordinary skill in the art to group the regular 
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expressions of the. modified I'Anson, Park, Shanklin et al, and 
Mahajan et al system. 

Motivation to do so would have been to define precedence 
for the regular expressions. 

Response to Arguments 

14. Applicant's arguments with respect to claims 1 and 19-21 
have been considered but are moot in view- of the new ground(s) 
of rejection. 

Conclusion 

15. The prior art made of record and not relied upon is 
considered pertinent to applicant's disclosure.. Tsuda et al. and 
Crayford teach methods of direct transitions to a final state. 

• Any inquiry concerning this communication or earlier 
communications from the examiner should be directed to Michael 
Pyzocha whose telephone number is (571) 272-3875. The examiner 
can normally be reached on 7:00am - 4:30pm first Fridays of the 
bi-week off. 

If attempts to reach the examiner by telephone are 
unsuccessful, the examiner's supervisor, Emmanuel Moise can be 
reached on (571) 272-38655. The fax phone number for the 
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organization where this' application or proceeding is assigned is 
703-872-9306. 

Information regarding the status of an application may be 
obtained from the Patent Application Information Retrieval 
(PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status 
information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, 
see http://pair-direct.uspto.gov. Should you have questions on 
access to the Private PAIR s.ystem, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free) . 



MJP 
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